Georgia Department of Human Services reports breach affecting more than 45,000 individuals

The Georgia Department of Human Services (Georgia DHS) on October 9 reported a security incident that potentially affected 45,732 individuals, according to the Office for Civil Rights (OCR) breach report.

In a security notice posted on its website, Georgia DHS said hackers gained unauthorized access to employee email accounts between May 3 and May 15. After it became aware of the attack, DHS locked compromised accounts and blocked malicious actors. On August 10, DHS learned that the cybercriminals had been able to retain emails that contained protected health information (PHI) and personally identifiable information of children and adults involved in child protective services cases of the Georgia DHS Division of Family and Children services (DFCS).

DHS has since examined the emails in question and notified the customers whose information was accessed.

The access information may have included the following:

• Appointment dates
• Dates of birth
• DFCS case numbers
• DFCS identification numbers
• Email addresses
• Medicaid identification numbers
• Medicaid medical insurance identification numbers
• Medical provider names
• Full names of children and household members
• Phone numbers
• Social Security numbers

In addition, psychological reports, counseling notes, medical diagnoses, or substance abuse information for 12 individuals was included in the breach. One individual’s bank account number was disclosed.

DHS established a toll-free number for individuals concerned about their information being exposed as part of the breach.